End-users signing in for the first time to an app that is supported by app-based CA, like OneDrive or Outlook, are prompted to install the broker app and register the device with Azure AD. Device registration in Azure AD (previously known as Workplace Join) creates a device record and a certificate against which tokens are issued. This is not the same as MDM enrollment. No management profiles or policies are applied, and no inventory is taken of apps on the device. The process of installing the broker app and registering the device happens only on the first use of a managed app.

The following is a list of properties that are directly derived from the device:

Note

The Company Portal app must be installed on the device, but the end-user is not required to sign in to the app.

Device registration must be done through the OneDrive or Outlook app.

To remove a device from Azure AD registration.

You can remove the device registration through the Azure AD admin console, which is typically done by the IT admin. It can also be done by the end-user on the device itself.

The device used to access the service is Intune-managed and compliant with the Intune device compliance policy, or it is a domain-joined PC. Here are some examples to help illustrate this:

If a user tries to connect from the native iOS email app, the user is required to be on a managed and compliant device, because the native mail app is not supported by app-based CA.

If a user tries to connect from a Windows home PC, the device CA policy applies, requiring the user to use a domain-joined PC.